JohnArmstrong

Container use continues to grow, and Kubernetes is the most widely adopted container orchestration system, managing nearly half of all container deployments. Most enterprises are at some stage of Kubernetes adoption. Kubernetes delivers its greatest value in the enterprise when it becomes an integrated component of the existing IT environment. Successful integration of Kubernetes and container services depends heavily on access to external resources such as databases, cloud services, third-party application programming interfaces (APIs), and other applications. All of this egress activity must be controlled for security and compliance reasons.


The Challenge: Kubernetes Requires a Different Approach to Access Control

Traditional IP-based access control doesn’t work in Kubernetes, where workloads are ephemeral, typically stateless, and use short-lived IP addresses that are reassigned as pods are rescheduled. Kubernetes workloads make heavy use of the network and generate a lot of east/west traffic. A conventional firewall sees only source and destination addresses; it has none of the context required to understand Kubernetes traffic (namespace, pod, labels, container ID, etc.). If you deploy a conventional firewall within your Kubernetes architecture, you get no usable visibility into pod-to-pod traffic, because the firewall cannot tell which workload a given IP belonged to at the time of a connection. That makes it very hard to troubleshoot networking issues, perform forensic analysis, or report on security controls for compliance.

While Tigera Calico Enterprise provides fine-grained policy control and its own security management interface inside the Kubernetes environment, running Calico Enterprise in isolation from the existing enterprise network security stack leaves organizations with two separate policy-enforcement approaches, which introduces unwanted complexity. Maintaining two separate network security systems also hinders visibility into routing and connectivity within and between Kubernetes clusters, and complicates troubleshooting of issues that span Kubernetes and external environments.


Visibility into Kubernetes Infrastructure is Essential

Lack of visibility also has compliance implications. Like any on-premises or cloud-based networked services, Kubernetes production containers must address both organizational and regulatory security requirements. If compliance teams can’t trace the history of incidents across the entire infrastructure, they can’t adequately satisfy their audit requirements.

To enable the successful transition of Kubernetes pilot projects to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. In response, Fortinet and Tigera jointly developed a suite of Calico Enterprise solutions for the Fortinet Security Fabric that deliver both north-south and east-west visibility, as well as compliance enablement and advanced threat-intelligence capabilities for Kubernetes clusters. Fortinet customers can extend their network security architecture to their Kubernetes environments to protect their Kubernetes-based infrastructure.

The Tigera and Fortinet joint solution supports all cloud-based and on-premises Kubernetes environments. With this architecture, Calico Enterprise will map security policies from FortiManager into each Kubernetes cluster in the cloud or on-premises. The joint solution enables Fortinet customers to enforce network security policies for traffic into and out of the Kubernetes cluster (North/South traffic) as well as traffic between pods within the cluster (East/West traffic).

Learn more in the Fortinet and Tigera webinar on June 17: Extending Your FortiGate Next-Gen Firewall to Kubernetes.


Key Fortinet and Tigera Integrations

Fortinet and Tigera have jointly developed four integrations that help ensure consistent visibility, control, security, and compliance:

1. FortiManager Calico Kubernetes Controller enables Kubernetes cluster management from the FortiManager centralized management platform in the Fabric Management Center. This Fabric Controller translates FortiManager policies into granular Kubernetes network policies and pushes them out to the individual clusters in all Kubernetes environments. The Kubernetes environment becomes an integral part of the Fortinet Security Fabric and can be seen and controlled from the FortiManager console.

[Image: Fortigate_Tigera_Gui.png]

2. FortiGate Calico Kubernetes Controller enables FortiGate next-generation firewalls (NGFWs) to control egress from Kubernetes pods to external applications. It does this by automatically populating Kubernetes workload source IPs into FortiManager address group objects and keeping them current as pods come and go. FortiManager then deploys the updated object packages to FortiGate, so that FortiGate can enforce the access rules. Developers who deploy new workloads to a Kubernetes cluster can label them with business-level tags (such as department name or role) and rely on the controller to handle the underlying access rule configuration.

3. FortiGuard Threat Feed integration enriches the Calico Enterprise threat database with global real-time threat intelligence from FortiGuard Labs. Calico Enterprise users gain broader protection from malicious traffic at the source, inside the Kubernetes cluster. For FortiGuard subscribers, this integration extends the same protection to their Kubernetes environment at no additional cost.

4. The Calico plug-in for FortiSIEM, Fortinet's event correlation and risk management solution, delivers the telemetry (metadata) that Calico Enterprise creates, including DNS logs, flow logs, and audit logs, into the Fortinet security information and event management (SIEM) environment. This helps security operations (SecOps) teams use FortiSIEM to better design and automate their incident response workflows.

[Image: Fortinet_Tigera_Integration.png]
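To make the two translations described in items 1 and 2 concrete, here is an added example written for this post. It is not Fortinet or Tigera code and does not call their APIs: it is a toy reconciler that (a) groups pod IPs by a business-level label and computes what must be added to and withdrawn from an address group when a pod is rescheduled and gets a new IP, and (b) renders a label-scoped egress allow rule as a standard Kubernetes NetworkPolicy. The label key `team`, the pod names, the pod IPs and the destination CIDR are all constructed sample data.

```python
"""Toy reconciler: label-keyed address groups plus a label-scoped egress policy.

Added example for this post; it is not Fortinet or Tigera code and does not use
their APIs. It models the two translations the integrations above describe:
pod labels -> address-group membership (which must be recomputed as pod IPs
churn), and a label-scoped rule -> a Kubernetes NetworkPolicy. The label key
"team", the pod names, the IPs and the CIDR below are all constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional
import json


@dataclass
class Pod:
    """Subset of a pod record as a controller would read it from the API server."""
    namespace: str
    name: str
    ip: Optional[str]           # None while the pod is Pending and has no address yet
    labels: dict = field(default_factory=dict)


def build_address_groups(pods, tag_key):
    """Group pod IPs by the value of a business-level label.

    Pods without the label, or without an IP yet, are skipped, so the returned
    groups contain only addresses that can actually carry traffic right now.
    """
    groups = {}
    for pod in pods:
        tag = pod.labels.get(tag_key)
        if tag is None or not pod.ip:
            continue
        groups.setdefault(tag, set()).add(pod.ip)
    return groups


def diff_groups(old, new):
    """Return, per group, the IPs to add to and remove from the firewall object.

    Because pod IPs are short-lived, a rescheduled pod shows up as one added and
    one removed address. The stale address must be withdrawn, or the firewall
    rule keeps trusting whichever pod is handed that IP next.
    """
    changes = {}
    for tag in set(old) | set(new):
        before, after = old.get(tag, set()), new.get(tag, set())
        if before != after:
            changes[tag] = {"added": after - before, "removed": before - after}
    return changes


def rule_to_network_policy(name, namespace, pod_labels, allowed_cidrs, ports, allow_dns=True):
    """Render a label-scoped egress allow rule as a networking.k8s.io/v1 NetworkPolicy.

    policyTypes: [Egress] makes every other egress from the selected pods an
    implicit deny, so the policy also has to permit DNS to kube-dns or the
    workload cannot resolve the destination it was just allowed to reach.
    """
    egress = [{
        "to": [{"ipBlock": {"cidr": cidr}} for cidr in allowed_cidrs],
        "ports": [{"protocol": "TCP", "port": port} for port in ports],
    }]
    if allow_dns:
        egress.append({
            "to": [{
                "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
            }],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
        })
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": dict(pod_labels)},
            "policyTypes": ["Egress"],
            "egress": egress,
        },
    }


# Constructed inventory at two points in time: the payments api pod is rescheduled
# between T0 and T1 and comes back with a different IP; a new worker is still Pending.
PODS_T0 = [
    Pod("payments", "api-7d9f-abc12", "10.244.1.15", {"team": "payments", "role": "api"}),
    Pod("payments", "worker-5c8-xyz99", "10.244.2.7", {"team": "payments", "role": "worker"}),
    Pod("marketing", "web-66b-qq111", "10.244.3.4", {"team": "marketing"}),
    Pod("kube-system", "coredns-5d78-k2m4p", "10.244.0.3", {"k8s-app": "kube-dns"}),
]
PODS_T1 = [
    Pod("payments", "api-7d9f-mn34q", "10.244.1.42", {"team": "payments", "role": "api"}),
    Pod("payments", "worker-5c8-xyz99", "10.244.2.7", {"team": "payments", "role": "worker"}),
    Pod("payments", "worker-5c8-pend1", None, {"team": "payments", "role": "worker"}),
    Pod("marketing", "web-66b-qq111", "10.244.3.4", {"team": "marketing"}),
    Pod("kube-system", "coredns-5d78-k2m4p", "10.244.0.3", {"k8s-app": "kube-dns"}),
]


if __name__ == "__main__":
    t0 = build_address_groups(PODS_T0, "team")
    t1 = build_address_groups(PODS_T1, "team")
    print("groups at T0:", {k: sorted(v) for k, v in t0.items()})
    print("changes T0->T1:", {k: {a: sorted(b) for a, b in v.items()}
                              for k, v in diff_groups(t0, t1).items()})
    print(json.dumps(rule_to_network_policy(
        "payments-to-db", "payments", {"team": "payments"}, ["192.0.2.10/32"], [5432]), indent=2))
```

The point of `diff_groups` is the "removed" set: a controller that only ever adds the IPs it sees would leave `10.244.1.15` in the address group after the api pod was rescheduled, and whatever pod the CNI assigns that address to next would inherit the payments team's egress permissions. The `allow_dns` branch in `rule_to_network_policy` is the caveat people most often hit when a translated rule is applied: an egress-only policy with a single allowed CIDR silently breaks name resolution for the selected pods.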


How Do These Integrations Benefit Fortinet and Tigera Customers?

Fortinet Dynamic Cloud Security solutions integrated with Tigera Calico Enterprise bring Kubernetes deployments into the Fortinet Security Fabric. Organizations migrating to Kubernetes architectures maintain their existing security posture while adopting the platform across the enterprise, with security outcomes jointly owned by the Platform, Security, Compliance, Networking and DevOps teams.

On an operational level, integration between Fortinet and Tigera technologies provides the insight needed to speed up troubleshooting and reduce mean time to resolution. The integrated technologies also reduce operational complexity, which lowers staff and training costs and minimizes the configuration errors that add attack risk to the organization. Security architects can also produce timely evidence of reduced risk to satisfy corporate and regulatory data protection rules.

----------------------------------------------------------------------------------------------------------------------

To learn more, please join Fortinet and Tigera for our June 17 webinar: Extending Your FortiGate Next-Gen Firewall to Kubernetes.